At Last, Some Progress on Do Not Track

Today, the Tracking Protection Working Group — the World Wide Web Consortium (W3C) group standardizing the “Do Not Track” privacy setting — hit a huge milestone. After three and a half years of effort, the Working Group has agreed to advance the Tracking Preference Expression (TPE) specification to Last Call status. Moving to Last Call is a big deal — it means that the Working Group thinks that the specification is complete and ready for review by the larger community. We’re seeking feedback from the outside world to see if there are technical problems we’ve missed. If you’re interested and have ideas to improve the specification, you can send comments to [email protected] until June 18.

A Brief History of Do Not Track

This has obviously been a long time coming. CDT and other civil society advocates first proposed Do Not Track at an FTC workshop in 2007. In 2010, then-FTC Chairman Jon Leibowitz endorsed the idea in Senate testimony, followed by formal endorsement in the FTC’s initial privacy report in December of that year. The notion behind Do Not Track was that in a world where users don’t have to legally consent to online cross-site tracking (a federal court said as much in 2001), users at least should have the ability to opt out. And for an opt out to be useful, users needed a global opt-out to turn off tracking all at once, not site by site (or ad company by ad company, most of which they’ve never heard of). Do Not Track was proposed as a persistent signal that would be sent to the entire online ecosystem that you didn’t want to be tracked. The White House and major trade associations also announced support for the idea in early 2012.

Mozilla’s Firefox was the first browser to allow users to send a Do Not Track signal with every web request, and the other browsers soon followed suit. However, there was not universal agreement on what exactly the signal was supposed to signify: What does tracking mean, exactly? Perhaps as a result of this confusion, few companies are currently changing their behavior in response to Do Not Track requests, and there’s no consistent way to even detect whether the signal is being honored or not.

What Tracking Preference Expression Does

The TPE specification that we advanced today solves several of these issues. The meaning of the Do Not Track signal is now standardized — it means you’re telling a server that you don’t want it to collect data about you across different companies’ websites. Do Not Track isn’t concerned (for the most part) with first-party data collection — it isn’t meant to stop Amazon from remembering what you do on their site, and the New York Times can still count the articles you read on NYTimes.com and recommend other articles to you based on that. However, the signal would tell an advertising network that sees you on different sites that you don’t want them to collect data about you across those distinct contexts.

TPE also provides a syntax for servers to respond back to the browser whether and how they’re honoring the Do Not Track request. The server can respond back “N,” signaling that they don’t collect data on you from site to site. Or they could send back a “D” saying that they don’t honor the signal at all. Or they could send back a “T” saying that yes, they do collect some data from site to site, but then they link to a resource that explains the limitations they put on that collection and use in a dedicated Do Not Track compliance policy. It’s up to the user (or browser) to decide whether that’s good enough.

Still More Work to Do

Obviously, it’s not scalable for any user or even browser company to assess millions of varying compliance policies for every web resource, so there need to be standardized rule sets that can be more reliably and usefully evaluated. That’s the next task of the Working Group. We’re currently working on a companion Tracking Compliance and Scope (TCS) specification that lays out a set of uses for which data can still be collected and retained even when a server receives a Do Not Track request. Under this standard, a server would respond back “T” (yes, I might be tracking you) to the user, but also signify that it only collects, uses, and retains data pursuant to the TCS rules. Currently, the TCS envisions the collection and retention of data that is reasonably necessary for the online ad ecosystem to function: security and fraud prevention, debugging, ad frequency capping (making sure you aren’t served the same ad over and over again), billing, and auditing. There are proposals before the group to expand these uses to include cross-site analytics and perhaps even ad targeting. And there are a lot of other contentious issues the group needs to decide on before moving that document to Last Call — including whether identifiers like cookies can be used, when data is deidentified (and thus out of scope since the data is no longer tied to a person or device), and what browsers and other user agents need to tell users about Do Not Track.

I expect we will see proposals for alternative compliance regimes within the Tracking Protection Working Group and from external groups. Privacy advocates may propose a code that is more restrictive; industry may call for more permissive rules. Ultimately, users (or more likely, browsers or other user agents) will probably have to whitelist the compliance regimes they recognize; servers that don’t respond with an approved regime (or send back a Disregard signal) may be technologically prevented from tracking the user or otherwise disadvantaged by the browser.
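
The “N” / “D” / “T” responses and the whitelist of recognized compliance regimes described above can be sketched from the browser's side as follows. This is an added example, not code from this post or from the Working Group; the `tracking` and `compliance` field names are assumed to follow TPE's JSON tracking status representation, and the regime URL and verdict names are constructed for illustration.

```javascript
// Compliance regimes this user agent recognizes (its "whitelist").
// Constructed placeholder URL, not a real regime.
const RECOGNIZED_REGIMES = new Set(["https://regime.example/tcs"]);

// Normalize a claimed regime link; anything that is not a valid
// https URL is treated as no claim at all.
function normalizeRegime(link) {
  try {
    const url = new URL(link);
    return url.protocol === "https:" ? url.href : null;
  } catch {
    return null;
  }
}

// status: object shaped like { tracking: "T", compliance: ["https://..."] }.
// Returns a verdict the user agent can act on, plus the regimes that matched.
function evaluateTrackingStatus(status, recognized = RECOGNIZED_REGIMES) {
  if (!status || typeof status.tracking !== "string") {
    return { verdict: "unknown", matched: [] };
  }
  switch (status.tracking) {
    case "N": // server says it does not collect data from site to site
      return { verdict: "not-tracking", matched: [] };
    case "D": // server says it does not honor the signal at all
      return { verdict: "disregarded", matched: [] };
    case "T": { // tracking, limited by whatever regimes it links to
      const claimed = Array.isArray(status.compliance) ? status.compliance : [];
      const matched = claimed
        .map(normalizeRegime)
        .filter((u) => u !== null && recognized.has(u));
      const verdict = matched.length > 0
        ? "tracking-recognized-regime"
        : "tracking-unrecognized-regime";
      return { verdict, matched };
    }
    default: // values this post does not describe
      return { verdict: "unknown", matched: [] };
  }
}
```

A user agent could treat `disregarded` and `tracking-unrecognized-regime` as the cases where it applies its own restrictions, which is the outcome the paragraph above anticipates.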

How servers will ultimately comply with Do Not Track requests — and how browsers respond — are important issues, and still very much undecided. However, today we’ve at least made significant progress in defining what the user is requesting, and providing a mechanism for servers to offer transparency about how that is honored.

Our goal is a privacy setting that lets users limit online tracking while still allowing companies to display ads. Stakeholders have good reason to agree to reasonable limitations on data collection, usage, and retention in response to users’ Do Not Track requests. If they don’t, the ever-mounting scrutiny of online data collection practices will continue, and regulators, browsers, and users will seek other, potentially more disruptive solutions.